How user profile synchronization works in Office 365 services

2017-07-07 | Martina Grom

Office 365 users often ask about user profiles in the various Office 365 services and where to change what. Since the Office 365 products each have their own history, user profile data is stored in different places and specific properties are synchronized in different ways. So we at atwork thought it makes sense to describe the current state of user profiles in Office 365 in this article.

AAD Basics

The basis of all Office 365 services is the central Azure Active Directory (AAD), which stores all users, groups, licenses and relations of an Office 365 tenant (*.onmicrosoft.com). Entities can be managed in the Office portal, with scripts (PowerShell, etc.) or custom code (accessing the Microsoft APIs), or in a hybrid scenario with AAD Connect or ADFS. Once a user is created in AAD, a bunch of user properties become available, such as the User Principal Name (UPN, which is the login name), the person’s name and address data, Office 365 licenses, and more. All Office 365 products require such a user identity for sign-in. Once logged in, users benefit from a Single Sign-On (SSO) experience with one single identity.

Automatic synchronization

Depending on the Office 365 product, there are multiple stores for the user identity. For example, Exchange stores user properties in the user’s mailbox, SharePoint uses its own SQL database, Skype gets its data from Exchange, Yammer from AAD, and so on. This is a result of the products’ history, when they were still “islands“; the trick is that the central user profile gets synchronized to the different product stores automatically. Microsoft does that in the background with sync services for each Office 365 tenant. Customers don’t need to (and cannot) do anything; these tasks run in the background and Microsoft manages them. The good part is that the most important user profile data is available in the products automatically.

So, let’s have a look into the profile update and the product details of the user profile sync.

Where to update the user profile?

Office 365 users can update (some of) their user properties in the web portal at portal.office.com by opening the user menu in the top right corner. Here, select About me.

Now, in the Delve site, click Update profile.

Here, the user can update specific properties. Basic user data such as name, job role and department cannot be modified; these must be set by an admin. But there are more user properties, such as birthday, mobile and home phone, education, hobbies and skills. The following screenshots show these options.

Only admins can update all user settings

Note: Admins cannot change the user profile picture in the portal. This can be done with PowerShell or custom code.

So, after the user interactions, let’s get back to the Office 365 services and the user profile information.

Exchange Online

Exchange is (still) using its own Exchange databases (*.edb, *.log and *.chk). Every mailbox has an associated user. User properties are stored in the Exchange databases, for example the user profile picture. In comparison to AAD, Exchange can store high resolution user profile pictures. User photos can be updated with the Set-UserPhoto Exchange cmdlet and can have a resolution of up to 648x648 pixels, while the AAD picture can only be up to 96x96 pixels and a maximum of 100KB.

Exchange can store CustomAttributes and more mailbox-relevant properties such as aliases, mailbox settings such as quotas and permissions, forwards, rules and so on. These properties are only accessible in Exchange, while the most common properties such as UPN, person and address data are automatically synchronized from AAD.
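The note above that admins cannot change the profile picture in the portal, together with the two size limits just quoted, is easy to get wrong in practice: a photo that Exchange accepts may still be far above what AAD keeps as a thumbnail. The following script is an added example (not from the original article) that checks a JPEG against both limits before uploading it to the mailbox with Set-UserPhoto and then reads it back. It assumes an Exchange Online remote PowerShell session has already been imported; $Upn and $PhotoPath are placeholders.

```powershell
# Added example, not part of the original article.
# Assumes an Exchange Online remote PowerShell session is already imported
# (Set-UserPhoto / Get-UserPhoto available). $Upn and $PhotoPath are placeholders.
param(
    [string]$Upn       = 'user@contoso.onmicrosoft.com',   # placeholder UPN
    [string]$PhotoPath = 'C:\photos\user.jpg'              # placeholder path
)

Add-Type -AssemblyName System.Drawing

# Read the file once as bytes (what Set-UserPhoto expects) and once as an image
# to get the pixel dimensions; dispose the image handle afterwards.
$bytes = [System.IO.File]::ReadAllBytes($PhotoPath)
$img   = [System.Drawing.Image]::FromFile($PhotoPath)
try {
    $w = $img.Width
    $h = $img.Height
} finally {
    $img.Dispose()
}

# Limits as stated in the article: Exchange up to 648x648 pixels,
# AAD up to 96x96 pixels and 100 KB.
$exchangeMaxPx = 648
$aadMaxPx      = 96
$aadMaxBytes   = 100KB

if ($w -gt $exchangeMaxPx -or $h -gt $exchangeMaxPx) {
    throw "Photo is ${w}x${h}; Exchange accepts at most ${exchangeMaxPx}x${exchangeMaxPx}."
}

Write-Host ("Photo is {0}x{1}, {2:N0} bytes" -f $w, $h, $bytes.Length)
if ($w -le $aadMaxPx -and $h -le $aadMaxPx -and $bytes.Length -le $aadMaxBytes) {
    Write-Host "Also within the AAD thumbnail limits."
} else {
    Write-Host "Exceeds the AAD thumbnail limits; Exchange stores the high-resolution copy, AAD keeps its own small one."
}

# Upload to the mailbox (the high-resolution store); -Confirm:$false suppresses the prompt.
Set-UserPhoto -Identity $Upn -PictureData $bytes -Confirm:$false

# Read the photo back to verify what Exchange now holds for this mailbox.
$stored = Get-UserPhoto -Identity $Upn
Write-Host ("Exchange now holds {0:N0} bytes for {1}" -f $stored.PictureData.Length, $Upn)
```

Run it as an admin from a session where the Exchange Online cmdlets are loaded; if the dimension check throws, resize the image first rather than relying on the service to do it.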

So, an update of the AAD user object also updates the user’s profile in the Exchange mailbox – but this usually takes some time. My experiences are from some minutes up to some hours. So, be patient and wait until you see the changes in mailboxes and address books.
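Because the AAD-to-Exchange sync is one-way and takes an unpredictable amount of time, a practical check is to compare the synced properties on both sides and poll until they agree. The script below is an added example (not from the original article) that does this for DisplayName, Title and Department. It assumes Connect-MsolService has been run (MSOnline module) and an Exchange Online remote session is imported; $Upn, the timeout and the polling interval are placeholders.

```powershell
# Added example, not part of the original article.
# Assumes: Connect-MsolService already run (Get-MsolUser available) and an
# Exchange Online remote session imported (Get-User available). $Upn is a placeholder.
param(
    [string]$Upn            = 'user@contoso.onmicrosoft.com',   # placeholder UPN
    [int]$TimeoutMinutes    = 120,                              # how long to keep polling
    [int]$PollSeconds       = 300                               # interval between checks
)

# Properties the article describes as synced one-way from AAD into Exchange.
$props    = 'DisplayName', 'Title', 'Department'
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)

do {
    $aad = Get-MsolUser -UserPrincipalName $Upn   # AAD copy of the user
    $exo = Get-User -Identity $Upn                # Exchange's copy of the same user

    # Collect every property whose value still differs between the two stores.
    $diff = @(foreach ($p in $props) {
        if ($aad.$p -ne $exo.$p) {
            [pscustomobject]@{ Property = $p; AzureAD = $aad.$p; Exchange = $exo.$p }
        }
    })

    if ($diff.Count -eq 0) {
        Write-Host "All checked properties match for $Upn; the sync has landed."
        return
    }

    Write-Host ("{0}: {1} propert(ies) still differ, retrying in {2}s" -f (Get-Date -Format 'HH:mm:ss'), $diff.Count, $PollSeconds)
    $diff | Format-Table -AutoSize | Out-String | Write-Host
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

# Still different after the timeout: surface the remaining mismatches for a support case.
Write-Warning "Timeout reached; these properties still differ between AAD and Exchange:"
$diff | Format-Table -AutoSize
```

The comparison is deliberately limited to properties the article says are synced; Exchange-only settings such as CustomAttributes or quotas have no AAD counterpart to compare against.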

Skype for Business

In the past, when the product name was still Lync, data and many settings were stored in the Windows registry and in local folders. But in SFB, user properties are taken from AAD or Exchange. Of course, there are SFB policies and other product-specific settings to be configured, but no user profile data. Regarding the user profile pictures mentioned above, there is an interesting detail: if a user owns an Exchange mailbox, the high resolution user profile picture is displayed from the mailbox (Exchange 2013 and later). Otherwise the low resolution user profile picture from AAD is used (see here). So, the best way is to have an Exchange mailbox.

SharePoint Online

As SharePoint is running on its own SQL databases, user profile data is stored in the content database of MySites. Again, the most common user profile properties are automatically synced. In the SPO user management page, the small database-linked icon indicates which property is synchronized (a field without an icon in front of its name is not). Please see this article to see which user properties are synced into which SPO user fields.

Also, security groups are synced to SPO and can therefore be used, for example, for setting permissions on SPO sites.

Yammer

Yammer is a newer member of the Office 365 family and comes with its own databases as well. If you have enabled single sign-on with Office 365, users get synchronized from AAD to Yammer. Again, updates are one-way from AAD to Yammer. So here are the facts:

Updates are one-way, from Azure AD to Yammer. Any user profile changes made in Yammer are not written back to Azure AD.

The user is created when the user first opens Yammer.

Azure AD overwrites Yammer user profiles. If a user has modified their Yammer profile, parts of it will be overwritten by the AAD sync.

The user profile pictures are updated from Office 365 to Yammer (after the user logs into Yammer).

Notes

Once user data is in the cloud, the synchronization services take care of propagating new, changed and deleted users and groups to the Office 365 products. If this does not work, wait for some hours up to one day. Then open a case with Microsoft support.

Summary

The good news is that IT admins usually don’t need to do anything, since the most common user profile properties get automatically synced from AAD to the Office 365 products (one-way, there’s no write-back). In some scenarios, hybrid makes sense, and the flow of user data then starts in the on-premises (often HR) system, goes to AD and then via AAD Connect to the cloud.

I hope this article delivers some background information about user profiles in Office 365.